
Thread: what's the latest MSN Messenger worm?

  1. #1
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506

    what's the latest MSN Messenger worm?

    Hi!

    I have a friend that has a virus or something.

    Without her knowledge her MSN sends this:

    "eggs friend says:
    wow this one made my head spin"
    "eggs friend says:
    h@@p://dosnet.us/lk/crazy.scr"

    DO NOT CLICK THE ABOVE LINK OR YOU WILL GET THE VIRUS

    Any ideas?
    Last edited by rik; April 6th, 2005 at 00:45 AM.
    ------------------------------------------------------------



  2. #2
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,046
    Does anyone read the front page?

    http://www.techzonez.com/comments.php?shownews=12751

    =========== Please Read The Forum Rules ===========

  3. #3
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Yep, it downloads all right. AVK says it is a variant of Backdoor.Rbot - I cleaned this off a machine 2 days ago and it left quite a bit of crap in the registry. It's a bit of a naughty one, see http://securityresponse.symantec.com...chod.b@mm.html, although to be honest the one I cleaned doesn't quite fit that description but it does fit yours; maybe it's another variant. I used Microworld Antivirus Toolkit to detect the poop, then deleted manually.
    Last edited by Curio; April 5th, 2005 at 21:42 PM.
    I'm using Windows 7 - you got a problem with that?

  4. #4
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    I googled "eggs friend says" and it came up zip - that's the exact phrase I noticed in the other one, so it must be a variant which isn't fully written up yet. It was detected though - it's also detected by BitDefender as Backdoor.RBot.28B373ED, which doesn't google either.
    I'm using Windows 7 - you got a problem with that?

  5. #5
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    Hope you don't mind, but I edited your post EH so no one accidentally clicks the link.

  6. #6
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by Curio
    I googled "eggs friend says" and it came up zip ...
    I replaced my friend's name with "eggs friend".

    Thanks very much for your hard work guys!

    I checked out Symantec's link and this thing looks impossible to clean.

    Does stinger detect it?
    ------------------------------------------------------------



  7. #7
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899

    Eggy Bread

    No, the one I saw said 'eggs friend says'. I remember thinking it was weird at the time, and there were run keys in the registry with 'eggs friend says'. I thought it was something to do with Easter - as it was Easter. Maybe I am suffering from poor memory.

    Anyway, you can rid yourself of it if you take your time and use some free tools. Firstly, 1 of 3 possible ways to get your registry back:
    1. Tool on Symantec's site - it's an inf file but I can't remember the name of it.
    2. Could use Registrar Lite www.resplendence.com - usually works.
    3. Could use RegSeeker http://www.hoverdesk.net/freeware.htm - may work for you.

    The stuff about the Hidden and SuperHidden is just the 'hide protected operating system files' and 'don't show hidden files' settings for Explorer; it's nothing major.

    You might also want HijackThis http://www.spywareinfo.com/~merijn/downloads.html and Killbox http://www.subratam.org/main/index.p...d=19&Itemid=41 as well as Microworld Antivirus Toolkit http://www.mwti.net/antivirus/mwav.asp to help you identify and delete the bad things.

    1/2 hour with those should see you right - good luck.
    I'm using Windows 7 - you got a problem with that?

  8. #8
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Thanks!

    I don't have it but a friend does and she knows nothing about the button that says disconnect.

    i appreciate your help
    ------------------------------------------------------------



  9. #9
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,735
    These new worms are employing greater social engineering tactics (from front page, Rev)... it's hard to tell if it's legit or not.

    Egg, you might be able to run the removal tool from Symantec?

    --- 0wN3D by 3gG ---

  10. #10
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by cash_site
    These new worms are employing greater social engineering tactics (from front page, Rev)... it's hard to tell if it's legit or not.

    Egg, you might be able to run the removal tool from Symantec?
    Thanks!

    I looked at the removal instructions and Symantec does not have a removal tool.

    I asked the girl to download Symantec AV and she says that no virus was found, but I think she did not install it and only ran the scan option before the install, so it really is not looking for the worm.
    ------------------------------------------------------------



  11. #11
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    I installed it on a test VM - this is what it did

    Registry
    Keys ignored: 0
    (none)

    Keys added: 2
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Values added: 4

    HKEY_CURRENT_USER\Software\Microsoft\OLE "ITUNES"
    Type: REG_SZ
    Data: itune.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbq\Qrfxgbc\penml.rkr"
    Type: REG_BINARY
    Data: 01, 00, 00, 00, 06, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ITUNES"
    Type: REG_SZ
    Data: itune.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "ITUNES"
    Type: REG_SZ
    Data: itune.exe
    Values changed: 4
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
    Old type: REG_BINARY
    New type: REG_BINARY
    Old data: 01, 00, 00, 00, 19, 00, 00, 00, A0, 29, D0, 2A, 43, 3B, C5, 01
    New data: 01, 00, 00, 00, 1A, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: Y
    New data: N
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "restrictanonymous"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 00, 00, 00
    New data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 00, 00, 00, 00
    New data: 01, 00, 00, 00


    --------------------------------------------------------------------------------

    Disk contents
    Drives tracked: 1
    c:\


    Files added: 1
    c:\WINNT\system32\itune.exe
    Date: 7/22/2002 1:05 PM
    Size: 116,250 bytes
    Files deleted: 1
    c:\Documents and Settings\spod\Desktop\crazy.exe
    Date: 4/5/2005 10:02 PM
    Size: 116,250 bytes
    Files changed: 9 -- edited for brevity --

    The only file it ran was the newly installed 'itune.exe'. After rebooting to make sure it was fully 'in', I opened regedit - it opened OK. I ran STM and top of the list was (you guessed it) itune.exe, so I selected it, clicked REMOVE, selected 'move to quarantine' - that was it, bye bye itune.exe.

    This machine was not connected to any network or the internet; the machine I did previously was, and was also infected with mucho spyware/adware - maybe part of its process does that (if and when it can).

    It can't be the one referenced on the Symantec link - it didn't do any of that. So I ran it at Symantec Corp and it said 'W32.Spybot.Worm', not 'chod.b'. No worries, at least you know what you are looking at.
    Last edited by Curio; April 7th, 2005 at 08:11 AM.
    I'm using Windows 7 - you got a problem with that?
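The registry diff above gives a defender two things worth pulling out automatically: the Run/RunServices values that make itune.exe persistent, and the UserAssist entry, whose ROT13 value name decodes to the path that was actually executed and whose 16-byte data holds a run counter and a last-run FILETIME. The following Python triage script is an added example, not code from the thread or from any tool it names; it assumes the Regshot-style "Values added" layout shown in the post and the Windows XP convention that the UserAssist counter starts at 5.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed excerpt: the four "Values added" entries from the report above.
REPORT = r"""HKEY_CURRENT_USER\Software\Microsoft\OLE "ITUNES"
Type: REG_SZ
Data: itune.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbq\Qrfxgbc\penml.rkr"
Type: REG_BINARY
Data: 01, 00, 00, 00, 06, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ITUNES"
Type: REG_SZ
Data: itune.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "ITUNES"
Type: REG_SZ
Data: itune.exe
"""

# One entry = key path, quoted value name, then Type: and Data: lines.
ENTRY = re.compile(r'^(HK.+?) "([^"]*)"\nType: (\w+)\nData: (.*)$', re.M)
AUTOSTART = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin

def parse_values(report):
    """(key, value_name, type, data) for every entry in a Values-added section."""
    return [m.groups() for m in ENTRY.finditer(report)]

def decode_userassist(value_name, data):
    """XP-era UserAssist entry: ROT13 name; 16-byte data = session id (4),
    run counter (4), last-run FILETIME (8), little-endian. Assumption: XP
    starts the counter at 5, so a stored 6 means one recorded execution."""
    path = codecs.decode(value_name, "rot13")
    raw = bytes(int(b, 16) for b in data.split(","))
    _session, counter, filetime = struct.unpack("<IIQ", raw)
    last_run = WIN_EPOCH + timedelta(microseconds=filetime // 10)
    return path, counter - 5, last_run

def triage(report):
    """Tag added values as autostart persistence (Run/RunServices) or as
    decoded execution evidence (UserAssist); other values are skipped."""
    findings = []
    for key, name, vtype, data in parse_values(report):
        if key.endswith(AUTOSTART):
            findings.append(("autostart", key + "\\" + name, data))
        elif "\\UserAssist\\" in key and vtype == "REG_BINARY":
            path, runs, last = decode_userassist(name, data)
            findings.append(("executed", path, f"runs={runs} last={last:%Y-%m-%d %H:%M:%S} UTC"))
    return findings
```

On the entry from the post this reports crazy.exe on the desktop as executed once, with the FILETIME decoding to 2005-04-07 07:27:53 UTC, alongside the two ITUNES autostart values.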

  12. #12
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    This should clean up the registry

    _______________________________________________________
    REGEDIT4

    ; Remove the ITUNES value the worm added under HKCU\Software\Microsoft\OLE
    [HKEY_CURRENT_USER\Software\Microsoft\OLE]
    "ITUNES"=-

    ; Remove the autostart entries that launch itune.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ITUNES"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "ITUNES"=-

    ; Delete the UserAssist history key that recorded crazy.exe running
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}]

    ; Put back the two settings the worm changed (DCOM on, anonymous restriction off)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM"="Y"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
    "restrictanonymous"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "restrictanonymous"=dword:00000000

    ; Extra bits: CLSID entries for 180 Solutions, VX2 and Alexa
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"=-
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"=-
    ________________________________________________________________
    Edit EnableDCOM and restrictanonymous as needed.
    I'm using Windows 7 - you got a problem with that?

  13. #13
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    well done!

    hats off to you

    You've been making some very technical posts and you are a very valuable member here.

    Thanks again
    ------------------------------------------------------------



  14. #14
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    I am glad to help if I can.

    I should say the extra bits remove the CLSID entries for 180 Solutions, a little bit of VX2 and Alexa.
    Last edited by Curio; April 7th, 2005 at 22:09 PM.
    I'm using Windows 7 - you got a problem with that?
